Default OpenBSD Web Server
server "default" {}
nice default servers for httpd(8)
The most underused feature of the httpd(8) HTTP daemon is the default server.
The default server is automatically used by httpd(8) in the absence of a custom server configuration.
Using default servers can simplify website hosting:
- reduce configuration clutter
- simplify webhosting operations
- keep your custom servers or add new ones
- keep your existing apps or add new ones
To add a new website, simply create a directory and configure TLS. The setup uses three servers:
- a default http server that redirects the request scheme "http" to "https"
- an opt-in https server that redirects the parent domain to its "www" subdomain
- a default https server with a dynamic document root
Let's add the www.example.com website using default servers.
Please keep reading: a reward for all defaulters is waiting at the end.
Add DNS resource records (A, AAAA or CNAME) for your domain(s):
```
example.com. IN A 203.0.113.4
example.com. IN AAAA 2001:0db8::4
www.example.com. IN CNAME example.com.
```
If needed, include pf.conf.defaulter in /etc/pf.conf:
```
# pf.conf
# Allow traffic on port 80 and 443 to and from the external interface
#
anchor "defaulter" on egress {
    # inbound for relayd
    pass in log proto tcp to (egress) port { http https } \
        keep state (max 500, max-src-conn-rate 100/10)
    # outbound for other services and apps
    pass out log proto tcp from (egress) to port { http https }
}
anchor "relayd/*"
...
```
Install and configure httpd.conf
Add the parent domain example.com alias to redirect it to www.example.com:
```
# httpd.conf
server "defaulter https redirect to www" {
    alias "example.com"
    ...
```
Then reload httpd and create the document root of the new site:
```sh
rcctl reload httpd
mkdir /var/www/htdocs/www.example.com
echo Hello > /var/www/htdocs/www.example.com/index.html
```
Install and configure relayd.conf
To initialize relayd without certificates, comment out the relay "https" and "https2" as well as the tls keypair statements in relayd.conf, then restart relayd:
```sh
rcctl restart relayd
```
Install and configure acme-client.conf:
```
# acme-client.conf
domain www.example.com {
    alternative names { example.com }
    domain key "/etc/ssl/private/www.example.com.key"
    domain full chain certificate "/etc/ssl/www.example.com.crt"
    sign with letsencrypt
}
...
```
Request the certificate and fetch its OCSP staple:
```sh
acme-client -v www.example.com
ocspcheck -vNo /etc/ssl/www.example.com.{ocsp,crt}
```
Uncomment the lines you commented out earlier in relayd.conf and add the www.example.com keypair:
```
# relayd.conf
tls keypair www.example.com
...
```
```sh
rcctl restart relayd
```
For the promised reward, please note that subsequent TLS modifications only involve acme-client and changing the tls keypair for relayd.
Install daily.local for daily updates:
```sh
# daily.local (sourced by /etc/daily, which also provides next_part)
# collect the name of every "tls keypair" statement in relayd.conf
name="$(awk '/^[[:space:]]*tls keypair/{printf "%s ",$NF}' /etc/relayd.conf)"
for n in ${name}
do
    next_part "Let's Encrypt $n"
    # renew the certificate if it is due, then refresh its OCSP staple
    acme-client -v $n
    ocspcheck -vNo /etc/ssl/$n.{ocsp,crt}
done
# relayd only reads certificates and staples at startup
rcctl restart relayd
```
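As an added example (not one of the defaulter project's files), here is a stricter variant of the daily.local loop above: it acts on acme-client's exit status and refuses to restart relayd while any keypair named in relayd.conf is missing or empty on disk, so a typo or a failed write cannot take the relay down. It assumes the exit codes documented in acme-client(1) (0 renewed, 1 error, 2 unchanged) and makes SSL_DIR, ACME, OCSPCHECK and RCCTL overridable purely so the logic can be exercised without the real tools.

```shell
# Added example, not part of the defaulter project: a stricter version of the
# daily.local loop. It reacts to acme-client's exit status (assumed per
# acme-client(1): 0 = renewed, 1 = error, 2 = unchanged) and refuses to restart
# relayd while any keypair it references is missing or empty on disk.
# SSL_DIR, ACME, OCSPCHECK and RCCTL are assumed overridable only for testing.
SSL_DIR=${SSL_DIR:-/etc/ssl}
ACME=${ACME:-acme-client}
OCSPCHECK=${OCSPCHECK:-ocspcheck}
RCCTL=${RCCTL:-rcctl}

# Print the name from every "tls keypair NAME" statement in a relayd.conf
keypair_names() {
    awk '/^[[:space:]]*tls keypair/ { print $NF }' "$1"
}

# Succeed only if key, certificate and OCSP staple for NAME are non-empty
keypair_files_ok() {
    [ -s "$SSL_DIR/private/$1.key" ] && [ -s "$SSL_DIR/$1.crt" ] &&
        [ -s "$SSL_DIR/$1.ocsp" ]
}

# Renew every keypair named in CONF; print the names whose certificate
# changed, refresh the OCSP staple of each valid certificate, return 1 on error
renew_keypairs() {
    rc=0
    for n in $(keypair_names "$1"); do
        "$ACME" -v "$n" && st=0 || st=$?
        case $st in
        0) echo "$n" ;;                          # new certificate written
        2) ;;                                    # still valid, staple only
        *) echo "acme-client failed for $n" >&2; rc=1; continue ;;
        esac
        "$OCSPCHECK" -vNo "$SSL_DIR/$n.ocsp" "$SSL_DIR/$n.crt" || rc=1
    done
    return $rc
}

# Daily entry point: renew, then restart relayd only if every keypair is complete
daily_renew() {
    renew_keypairs "$1" >/dev/null && rc=0 || rc=$?
    for n in $(keypair_names "$1"); do
        keypair_files_ok "$n" ||
            { echo "incomplete keypair $n, relayd not restarted" >&2; return 1; }
    done
    "$RCCTL" restart relayd || return 1
    return $rc
}
# In /etc/daily.local: daily_renew /etc/relayd.conf
```

Note that a failed renewal leaves the previous certificate in place, so relayd is still restarted in that case to pick up refreshed staples; only an incomplete keypair blocks the restart.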